CVE-2024-33662

7.5 HIGH

📋 TL;DR

Portainer before version 2.20.2 uses an improper encryption algorithm in its AesEncrypt function, potentially allowing attackers to decrypt sensitive data. This affects all Portainer deployments using vulnerable versions. The vulnerability stems from insufficient cryptographic strength in data protection mechanisms.

💻 Affected Systems

Products:
  • Portainer
Versions: All versions before 2.20.2
Operating Systems: All platforms running Portainer
Default Config Vulnerable: ⚠️ Yes
Notes: All Portainer deployments using the vulnerable encryption function are affected regardless of configuration.

📦 What is this software?

Portainer is a web-based management UI for Docker and Kubernetes environments; it stores environment credentials, registry secrets and other configuration in its own database, which is why weak encryption of that data matters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could decrypt stored credentials, API tokens, and configuration data, leading to complete compromise of the Portainer instance and potentially underlying Docker/Kubernetes environments.

🟠 Likely Case

Unauthorized access to encrypted data within Portainer, potentially exposing sensitive configuration information and credentials.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, though encrypted data remains vulnerable to decryption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to encrypted data and cryptographic analysis capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.2

Vendor Advisory: https://github.com/portainer/portainer/issues/11737

Restart Required: Yes

Instructions:

1. Back up your Portainer data.
2. Stop the Portainer service.
3. Update to Portainer 2.20.2 or later.
4. Restart the Portainer service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Access Controls (applies to: all)

Implement strict network access controls to limit who can access the Portainer instance.

Monitor for Unusual Activity (applies to: all)

Increase monitoring of Portainer logs and network traffic for suspicious access patterns.

🧯 If You Can't Patch

  • Isolate Portainer instance from internet and restrict internal network access
  • Implement additional encryption layer for sensitive data stored by Portainer

🔍 How to Verify

Check if Vulnerable:

Check Portainer version via web interface or API. Versions below 2.20.2 are vulnerable.

Check Version:

docker exec portainer portainer --version

Verify Fix Applied:

Confirm Portainer version is 2.20.2 or higher after update.
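The version check above, written out as a small POSIX shell helper that compares the reported version against the fixed release numerically (so that 2.9.x is not mistaken for newer than 2.20.2). This is an added example, not part of the advisory or of Portainer itself; the exact output format of `portainer --version` is an assumption, so the helper only requires that some x.y.z number appear in the text it is given.

```shell
#!/bin/sh
# Added example: decide whether a Portainer version predates the fix (2.20.2).
FIXED_VERSION="2.20.2"

# extract_version TEXT: print the first dotted x.y.z number found in TEXT.
# Pre-release suffixes such as "-rc1" are ignored (assumption about format).
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# version_lt A B: return 0 when A is numerically older than B, component by component.
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# portainer_is_vulnerable TEXT: report the version found in TEXT.
# Returns 0 if it is before 2.20.2, 1 if patched, 2 if no version was found.
portainer_is_vulnerable() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "no version found in: $1" >&2
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "Portainer $v is vulnerable to CVE-2024-33662 (fixed in $FIXED_VERSION)"
        return 0
    fi
    echo "Portainer $v is patched (>= $FIXED_VERSION)"
    return 1
}

# Constructed sample output; on a live host you would pass the real output:
#   portainer_is_vulnerable "$(docker exec portainer portainer --version 2>&1)"
portainer_is_vulnerable "Portainer 2.19.4" || true
```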

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Multiple failed decryption attempts
  • Unexpected access to encryption functions

Network Indicators:

  • Unusual outbound connections from Portainer instance
  • Traffic patterns suggesting data exfiltration

SIEM Query:

source="portainer" AND (event="authentication_failure" OR event="encryption_error")

🔗 References
